Remote Syslog configuration

[Beeez]

Hi,

Are there any recommendations for configuring remote syslog for the wazuh-manager-workers? I have this added to my config:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>

Does rsyslog need to be installed on the wazuh-managers in order for this to work? The documentation doesn't quite make this clear.

Does this mean I will need to build a custom wazuh-manager docker image with rsyslog included? If so I feel like this should be part of the default image.

[Wolvverine]

I have problem also.

App version: 4.5.3
App revision: 02

In docker stack for wazuh-manager:

    ports:
      - "2514:2514/tcp"
      - "2514:2514/udp"
      - "1514:1514"
      - "1515:1515"
      - "55000:55000"

I have in ossec.conf :

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp,udp</protocol>
    <queue_size>131072</queue_size>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
     <connection>syslog</connection>
     <port>2514</port>
     <protocol>tcp</protocol>
     <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
     <connection>syslog</connection>
     <port>2514</port>
     <protocol>udp</protocol>
     <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>

tcpdump running on the host and in the container indicates that logs from fortigate and other devices are being sent and arriving.

netstat on host show:

# netstat -tulnp | grep 514
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      316202/docker-proxy
tcp        0      0 0.0.0.0:2514            0.0.0.0:*               LISTEN      316137/docker-proxy
tcp6       0      0 :::1514                 :::*                    LISTEN      316211/docker-proxy
tcp6       0      0 :::2514                 :::*                    LISTEN      316144/docker-proxy
udp        0      0 0.0.0.0:2514            0.0.0.0:*                           316159/docker-proxy
udp6       0      0 :::2514                 :::*                                316166/docker-proxy

in container:

root@wazuh:/#  netstat -tulnp | grep 514
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2514            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           -
udp        0      0 0.0.0.0:2514            0.0.0.0:*                           -

However, after enabling the option:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Unfortunately, in the log files
cat /var/ossec/logs/archives/archives.log
cat /var/ossec/logs/archives/archives.json
There are no entries from syslog.
Of the agents on the servers are.

In fortigate config for syslog:

# config log syslogd setting
(setting) # show full-configuration 
config log syslogd setting
    set status enable
    set server "xxx.xxx.xxx.xxx"
    set mode reliable
    set port 2514
    set facility local7
    set source-ip "yyy.yyy.yyy.yyy"
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm disable
    set interface-select-method auto
end

In logs:

Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10832). Listening on port 1514/TCP,UDP (secure).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10833). Listening on port 2514/TCP (syslog).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10834). Listening on port 2514/UDP (syslog).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  (1410): Reading authentication keys file.

Test from another host in network:

# nc -zv wazuh.local 2514
wazuh.local [xxx.xxxx.xxx.xxx] 2514 (?) open

[Wolvverine]

After update to 4.6.0 in logs:
cat /var/ossec/logs/archives/archives.log
cat /var/ossec/logs/archives/archives.json
I have entries from udp remote syslog on 2514 .

[kahramanakyil]

After enabling syslog at ossec.conf, only tcp is working however udp is not working on k8s.

secure 1514 tcp,udp 131072 0.0.0.0/0 syslog 514 tcp 0.0.0.0/0 syslog 514 udp 0.0.0.0/0

[crlsgms]

I'm having the same issue, using 4.8.0 and enable syslog on both master and worker configs

I see the port enabled and service comming up on the logs

sh-5.2# netstat -tulnnp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:55000 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN - udp 0 0 0.0.0.0:514 0.0.0.0:* -
but on the pod description the port is not enabled
Containers: wazuh-manager: Container ID: docker:https://417a225ed84bd8cfc1addb43638a2bcd7bb61d9293443a66425430f71a7700f8 Image: wazuh/wazuh-manager:4.8.0 Image ID: docker-pullable:https://wazuh/wazuh-manager@sha256:366f142ebb28920c41bf77af1dcded832a21e9d4ed9a63741656b43639592ca2 Ports: 1514/TCP, 1516/TCP Host Ports: 0/TCP, 0/TCP State: Running Started: Wed, 10 Jul 2024 22:14:59 +0000 Ready: True

how can it be enabled to receive syslogs?

edit: had to add another port on the deployment for 514 as its not on the base kustomization